Suing Our Way to Better Security?

It is always tragic when news about data breaches and public dumps of said data affect tremendous numbers of victims.

The prevalence of these occurrences devalues each victim's identity to the point where I am sure that, if asked, the victim would pay the trivial sums the criminal networks charge for it rather than face the far greater troubles that come with identity theft.

It does not seem that the top leaders at organizations are as concerned with other people's information as they are with the bottom line.

What is the incentive? SOX or PCI compliance, for the sake of stock options or the ability to keep accepting credit cards in the revenue stream?

We hear about massive compromises, but hear little about the repercussions of the breaches or about the lack of concern for the security of customers' sensitive information.

If regulations do not influence business and security leaders, perhaps the fear of being the subject of a class action lawsuit will expose the massive cost risk that security complacency carries in the business model.

LinkedIn.com had about 6.4 million passwords dumped onto a Russian web site in hashed form, available for cracking by anyone interested.

A few humorous articles showing the weaknesses of some of the passwords came about as a result, but I don't believe the user names of the victims were published, which leaves this legal filing a little weak.

The punitive damages sought don't add up either, and I imagine the biggest winners in a situation like this are the litigators involved and the party that filed the suit.

However, it may open some eyes, because money will have to be paid to lawyers to defend against it, even if the suit has no solid legal basis and cannot identify the members of the class or the true damages caused.

Whether I agree with this case or not, something has to be done to generate true concern about the state of today's security and the treasures held on public Internet-facing nodes.

If organizations do not respond to the fear of embarrassment for failing at security, should we start taking them to court to bring about better consumer protections?

Marc Quibell
Nice write-up. You're right, I don't believe this case has a leg to stand on. Passwords alone do not equate to PII and the plaintiff clearly relies upon PII being the main course in this case. It is not.

The real crux is your question about how to make big data-handling companies care more about our data. The problem is that that is all relative. There was no PII in this case, so what is the damage to the user in the case with LinkedIn? I would also submit that LinkedIn played it smart by not associating usernames with passwords in the database...

June 23, 2012

Marc Quibell
Are you suggesting, Terry, that LinkedIn is lying about storing the passwords with the userID?

June 25, 2012

Terry Perkins
I do believe that LinkedIn stored the email along with the passwords. I had an embarrassing incident occur that proves this theory.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.